On Automata with Boundary 



R. Gates
Department of Computing, Division of ICS, Macquarie University, N.S.W. 2109, Australia

P. Katis
Dipartimento Scienze Chimiche, Fisiche e Matematiche, Università degli Studi dell'Insubria

N. Sabadini
Dipartimento Scienze Chimiche, Fisiche e Matematiche, Università degli Studi dell'Insubria

R.F.C. Walters
Dipartimento Scienze Chimiche, Fisiche e Matematiche, Università degli Studi dell'Insubria

February 1, 2008 



Abstract 

We present a theory of automata with boundary for designing, modelling and analysing distributed systems. Notions of behaviour, design and simulation appropriate to the theory are defined. The problem of model checking for deadlock detection is discussed, and an algorithm for state space reduction in exhaustive search, based on the theory presented here, is described. Three examples of the application of the theory are given, one in the course of the development of the ideas and two as illustrative examples of the use of the theory.



1 Introduction 



In this paper, we shall present an introduction to and overview of the theory of automata with boundary - a transition system based approach to the problem of designing, modelling and analyzing distributed systems. The treatment explicitly models the boundaries between subsystems, across which they communicate when part of a larger system. We describe notions of comparison and simulation of automata that allow abstractions to be performed in a compositional manner. We give a notion of behaviour for these automata which works fluidly with the operations used to construct systems and the simulations used to abstract systems. Finally, we observe that this approach explicitly captures the design of a system as an element of the theory, and we describe some of the advantages of this.

In section 2, we present a general introduction to automata with boundary, behaviour, the operations used to construct systems from subsystems, and the notion of a design. This section develops the example of the dining philosophers in conjunction with the theory to show the reader how this well known example is treated using the ideas of this paper.

In section 3 we address the problem of model checking, specifically focusing on deadlock detection. We describe an algorithm (the minimal introspective subsystem algorithm) which utilises the design information for the system to assist in reducing the search space required for exhaustive model checking techniques. The section concludes with a description of the behaviour of the algorithm when applied to the dining philosophers example.

In section 4, we define comparison and simulation of automata, and describe the sense in which they are compositional, and the connection with behaviour and deadlock detection. We also give examples of simulations related to the dining philosophers, and indicate how simulations can be used to assist model checking, or to theoretically analyze systems of interest.

In section 5 we give two further examples of the theory - the design of a simple scheduler, and a message acknowledgement protocol. This section further illustrates the use of the theory and indicates the range of applicability.

The underlying mathematical formalism of the approach is that of category theory (see [?] or [?]) and more specifically Cartesian bicategories (see [?]). We stress, however, that no background in category theory is required in this paper - all the required definitions and results are stated in terms of transition systems, although we occasionally indicate in passing some key connections.

This paper forms part of an ongoing research project to develop a compositional theory of distributed systems using categorical structures. For an overview of the work of the project and the breadth of interpretation of 'distributed system', see [?]. The material in the current paper stems from work on the bicategory Span(Graph): in [?], this bicategory was shown to have precise connections with the algebra of transition systems of Arnold and Nivat ([?]), and with the process algebras of Hoare ([?]); and, in [?], this bicategory was shown to be expressive enough to model place/transition nets ([?]).

2 Automata with Boundary 

The goal of this section is to present automata with boundary as a model for systems composed from a number of communicating parts. The boundaries form an integral part of our theory - all interactions of a system with its environment occur across its boundaries. We discuss behaviours of an automaton, and how these behaviours appear on boundaries of the automaton. Requirements on automata can be expressed by restricting the behaviours of an automaton as they appear on given boundaries. We describe the operations bind, feedback, and product of automata with boundary, enabling larger systems to be built by combining smaller systems in a way that interacts well with behaviours. Importantly, these operations can be represented pictorially as designs, allowing us to give high level views of systems.

As we introduce the basic definitions, we shall present an example illustrating 
the concepts being defined. We shall use the example of the dining philosophers, 
much favoured amongst works on distributed systems. 



2.1 Automata with Boundary 

The use of finite state automata to model transition systems has a long history (see [?]). In this paper, an automaton will consist of a reflexive graph plus other data. A reflexive graph consists of a directed graph (with parallel edges and loops allowed), together with a specified reflexive edge v → v for each vertex v of the graph. We do not insist that our automata be finite, but all the examples we present are finite. We do restrict our attention to finite automata when considering model checking.

A crucial element of our theory is that of boundary. All boundaries are typed by the kind of synchronization actions which can occur across the boundary. By an action set we mean a finite set X with a distinguished element, denoted −. We refer to elements of X as actions, and − as the trivial, or reflexive action.

An automaton with boundary (S, (X_i, μ_i)_{i ∈ I}) consists of the following data:

1. A reflexive graph S, called the state space of the automaton, whose vertices are termed states and whose edges are termed motions.

2. A finite set I indexing the boundaries of the automaton.

3. For each i ∈ I, a boundary (X_i, μ_i) consisting of an action set X_i and a labelling μ_i(e) of each motion e by an element of X_i, such that μ_i(e) is trivial if e is reflexive.

Note that the state space of the automaton is the reflexive graph S - it includes not only the states but the motions of the automaton, which provide the cohesion of the states to justify the terminology of a space. We have in mind that the reflexive edges of the state space S are idling motions - see the comments after the definition of simulation (section 4.2) for a further exploration of this view.



The labelling of the motions indicates the actions on the boundaries which accompany given motions, and we require that if the automaton is idling, then it is idling on each boundary. Of course, nontrivial motions (i.e., motions which are not reflexive) may still idle on some or all boundaries. Those motions idling on all boundaries are called internal motions. They reflect the ability of an automaton to change state without this being reflected in its interaction with the environment.
We shall occasionally say a motion of S performs an action on a boundary to mean that it is labelled by the specified action on the specified boundary. Note also that while a boundary consists both of the action set X and the labelling of motions μ, we shall often speak of the boundary X when no confusion arises. We shall say the type of a boundary (X, μ) to mean the action set X.

It is also worth noting that to give an action set is precisely to give a reflexive 
graph with one vertex. That is, the action set may be considered to be an 
automaton with trivial state. While not explored in this paper, a more general 
theory of this kind can relax this restriction, and allow one to calculate with 
boundaries which possess internal state. 



2.1.1 Two boundary Automata 

When dealing with an automaton, we typically focus temporarily on a subfamily of the boundaries over which some operation is being performed - for example the gluing of boundaries (i.e., binding - see section 2.3.1 below). Given a subset J of the set I indexing the boundaries of S, we may write S as an arrow

$$\prod_{j \in J} X_j \longrightarrow \prod_{k \in I \setminus J} X_k$$

and picture the motions of S as being labelled in the two products via tupling of the labelling on individual boundaries. We shall typically abbreviate to just S: X → Y when we wish to emphasize the division, rather than the particular boundaries. In this case, we shall term X the left boundary, and Y the right boundary, of S. The passage from the product of X_i's to the single object X may be seen as the collection of a bundle of wires into a single cable for purposes of hierarchical design. This view gives the connection between automata with boundary and the theory of bicategories (see [?]).

This passage between multiple boundary and two boundary automata allows for a more natural and workable definition of the operations on automata, without sacrificing either expressive power or precision.



2.1.2 Pictorial representation of Automata 

When describing automata, we typically draw pictures by drawing the state space of the automaton, with edges labelled to indicate the actions performed by the motions. For an automaton S: X → Y, we write the label (x|y) to indicate the motion performs the action x on the left boundary and the action y on the right boundary. We shall omit drawing reflexive edges, as they add no information to the picture - however the existence of these edges is crucial, as they allow subautomata in bound systems to act independently (see section 2.3.1, below).

We can depict automata with other than two boundaries in a similar manner. For an automaton with boundaries indexed by I, the labels on motions are I-tuples with entries drawn from the types of the corresponding boundary. In this case, we make explicit the correspondence between tuple entries and boundaries.

Figure 1: A Philosopher P

Figure 2: A Fork Q

2.1.3 Automata for the Dining Philosophers 

For the example of the dining philosophers, we shall present two automata with boundary - a philosopher and a fork. Each philosopher will have two boundaries (the left and the right fork from her perspective), and each fork will likewise have two boundaries (the philosophers who can manipulate the fork). We shall thus have an action set L, and automata with boundary P: L → L (a philosopher) and Q: L → L (a fork).

The action set L consists of the actions which a philosopher and a fork jointly perform. A given nontrivial action on which a philosopher and a fork synchronize consists of the fork being either picked up or put down. We model this by taking the action set L = {−, lock, unlock}.

The philosopher P is shown in figure 1. The philosopher has four states, corresponding to whether she is attempting to acquire her left fork, acquire her right fork, relinquish her left fork, or relinquish her right fork. The motions between these states are labelled by the boundary actions performed by the motion.

The fork Q is shown in figure 2. The fork has three states, corresponding to whether it is unacquired (state u), acquired by its left boundary (state l), or acquired by its right boundary (state r). Once again, the motions are labelled by the boundary actions they perform.

2.2 Behaviour of Automata



For an automaton S: X → Y and a state v_0 of S, a behaviour β of S with initial state v_0 is a sequence of motions (e_0, e_1, ...) (finite or infinite) of S such that s(e_0) = v_0 and s(e_{k+1}) = t(e_k) (for all appropriate k), where s and t denote the source and target of a motion. That is, a behaviour of S is nothing more than a path in its state space. We write such behaviours



Given a boundary (X, μ) of S, any behaviour of S is reflected on the boundary via μ. Precisely, by the appearance of a behaviour β = (e_0, e_1, ...) on X we mean the sequence of actions (μ(e_0), μ(e_1), ...). We say a behaviour of S on a boundary X to mean a sequence which is the appearance of some behaviour of S on X. Finally, we shall refer to reduced appearances and behaviours on boundaries to mean sequences obtained by eliding all trivial actions from an appearance or behaviour. It is crucial to note that a reduced appearance or behaviour need not be an actual appearance or behaviour, as nontrivial motions of S may appear to be trivial actions on a given boundary.

An automaton gives rise to a relation between behaviours on its boundaries. 
Given a behaviour of S on the boundary X and a behaviour of S on the 
boundary Y , we may say these are related if they are the appearances of the 
same behaviour of S on the boundaries in question. It is typical to specify a 
system by requesting this be a specific relation, or by requesting properties of 
this relation. For example, performing a given set of actions on the keypad of 
an automatic teller machine (one of its boundaries) is required to result in cash 
being dispensed (the action performed by the machine on the boundary with 
the cash dispenser) and in an amount being deducted from the user's account 
(the action performed by the machine on its boundary with the bank's account 
record). 

For an automaton S: X → Y and a given state v of S, by the subautomaton of S reachable from v we mean the automaton S': X → Y with states those states v' of S such that there exists a behaviour of S of the form

$$v \longrightarrow \cdots \longrightarrow v'$$

That is to say, there is a path of motions of S from v to v'. The motions of S' are all motions of S between states of S', and the boundaries and labelling of S' are inherited directly from S.

We shall often assign to an automaton S of interest an initial state - that is, a specified state v_0 of S. In this case we speak merely of behaviours of S to mean behaviours of S with initial state v_0, and the reachable subautomaton to mean the subautomaton reachable from v_0.

The interpretation of time implied by this treatment of behaviour is that of 'discretized continuous time' - there is an underlying continuous time which is being discretely approximated by some fixed time interval. An aspect of this continuity is contained in the use of the motions - each motion represents an atomic transition with the same duration. We distinguish this from a purely 'discrete time', in which the motions are atomic processes which may have different durations.

Thus, while synchronization may be viewed as a real world process which takes variable time, we model an instance of such a synchronization by a behaviour consisting of internal motions bracketed by atomic synchronizing transitions of the same duration.



2.2.1 Behaviour for the Dining Philosophers 



Returning to the dining philosopher example of section 2.1.3, we choose the state 0 of the philosopher (figure 1) to be the initial state. A behaviour of the philosopher then consists of a repeating sequence of the cycle "lock left boundary", "lock right boundary", "unlock left boundary", "unlock right boundary", possibly interspersed with reflexive edges. The reduced appearance on a given boundary is simply an alternating sequence of "lock", "unlock" actions.

With the state u as initial, a behaviour of the fork (figure 2) consists of a sequence of "lock boundary", "unlock boundary" pairs, with the boundary possibly differing from pair to pair, and again possibly interspersed with reflexive edges. Again, the reduced appearance on a given boundary is an alternating sequence of "lock", "unlock" actions.



2.3 Operations: Binding, Feedback and Product 

We describe three operations which may be used to construct new automata with boundary from old. In each case, we have a diagrammatic view of the operation, which should be considered to be a design - an expression in variable, or unimplemented, automata. It is an important feature of the methodology presented here that we can depict operations on systems without depicting the internals of the systems, thus allowing hierarchical design. The connection between the operations discussed here and Hoare's parallel operation is discussed in [?], section 4.

For each operation, we describe the effect of the operation on behaviours, in the sense that we describe the behaviours of the new system in terms of the behaviours of the given automata. It is an important feature of our theory that the operations on automata work fluidly with the notion of behaviour described in section 2.2.

Each operation is described here for two boundary automata - as noted in section 2.1.1 this is sufficient to describe it for all automata.



2.3.1 Binding 

The first operation we consider is binding. Given two automata with a common boundary, say S: X → Y and T: Y → Z, we can produce a new automaton, their binding, denoted S · T. A state of S · T is a pair (v, w), where v is a state of S and w is a state of T. A motion (v, w) → (v', w') of S · T consists of a pair (e, f), where e: v → v' is a motion of S and f: w → w' is a motion of T, and such that e and f perform the same action on the boundary Y. A given motion (e, f) of S · T: X → Z is labelled on the boundary X by the action e performs on X (in S), and is labelled on the boundary Z by the action f performs on Z (in T). If each of S and T have initial states v_0 and w_0 respectively, we take (v_0, w_0) as the initial state of the binding.

The binding S · T thus has states the Cartesian product of the states of S and T, but motions the subset of the Cartesian product of motions consisting of those on which the automata S and T synchronize on the common boundary Y. The reflexive motions of T allow S to move independently of T, provided S is performing trivial actions on the common boundary.

Binding models two automata communicating by synchronizing on a common boundary. We draw diagrams of bound systems by connecting the boundaries of the automata being bound.

We draw the binding of two automata S: X → Y and T: Y → Z as follows:

[binding diagram: S and T side by side, their Y boundaries joined by a wire, leaving the outer boundaries X and Z]



Importantly, binding interacts well with the behaviours of automata:

Proposition 1 Let S: X → Y and T: Y → Z be automata with boundary. To give a behaviour β of S · T is precisely to give a behaviour γ of S and a behaviour δ of T such that γ and δ have the same appearance on Y.

2.3.2 Feedback 

Given an automaton S: X × Y → Y × Z, we can "bind S with itself". This operation, called feedback, and denoted fby(S), is used to form closed systems by connecting boundaries. We define fby(S): X → Z to be the automaton with states precisely those of S, and motions those motions e of S such that e performs the same action on the factor Y of its left boundary and the factor Y of its right boundary. This yields an automaton with left boundary X and right boundary Z, where the labelling is inherited from S in the obvious manner. If S has an initial state v_0, we take v_0 as the initial state of the fed back automaton.

Just as with binding, feedback may be presented diagrammatically by connecting the fed back boundaries:

[feedback diagram: the factor Y of the right boundary of S wired back to the factor Y of its left boundary, leaving X and Z]




Again, behaviours of the fed back automaton are easy to calculate: 

Proposition 2 Let S: X × Y → Y × Z be an automaton with boundary. To give a behaviour β of fby(S) is precisely to give a behaviour γ of S such that γ has the same appearance on the factor Y of the left boundary as on the factor Y of the right boundary.



2.3.3 Product 

Given two automata S: X → Y and T: Z → W, we define the product of S and T, an automaton S × T: X × Z → Y × W, in the obvious way - form the Cartesian product of the states (resp. motions) of S and T to obtain the states (resp. motions) of S × T. Note that the boundaries are likewise formed by Cartesian product - the product automaton has boundaries those of S and those of T. The labelling of motion (e, f) is obtained from the labellings of e and f. If each of S and T have initial states v_0 and w_0 respectively, we take (v_0, w_0) as the initial state of the product.

The product models combining two automata in parallel with no communication between them. As with binding, we note that the reflexive actions in the automata allow the automata to act independently.

Diagrammatically, products are shown as follows:

[product diagram: S: X → Y drawn above T: Z → W, with no wires between them]



Behaviours of the product are easily characterized:

Proposition 3 Let S: X → Y and T: Z → W be automata with boundary. To give a behaviour β of S × T is precisely to give a behaviour γ of S and a behaviour δ of T.

2.3.4 Structural Automata 

In addition to the operations on automata, there are a number of constant operations, or "structural automata", which are useful for constructing systems. Two examples of note are the identity on a given action set X (figure 3) and the diagonal on a given action set X (figure 4).



Figure 3: The identity automaton on X [a single state with one loop labelled (x|x) for each x ∈ X, between two boundaries of type X]



The identity automaton on X has two boundaries of type X. It has a single state, and one motion for each action x of X, which is labelled by x on each boundary. The reflexive motion is the motion corresponding to the reflexive action − ∈ X. As its name suggests, the identity automaton is the identity for binding on X. One particular use of identities is to connect similar boundaries by a single wire in a composed system.



The diagonal automaton on X has three boundaries of type X. It has a single state, and one motion for each action x of X, which is labelled by x on each boundary. The reflexive motion is the motion corresponding to the reflexive action − ∈ X. The diagonal automaton is useful for splitting a wire synchronously.

2.3.5 Binding Philosophers and Forks 

The binding P · Q of a single philosopher and a single fork is shown in figure 5 - we have conserved space a little by abbreviating lock and unlock to l and u respectively. The initial state of the bound system is the state (0, u). There are several points to note about the bound system:

• Motions where the automata have synchronized have become internal 
motions (i.e., motions that perform trivial actions on both boundaries). 
In general, synchronizing two motions which perform trivial actions on 
all boundaries that are not being synchronized will produce an internal 
motion. 

• Not all states are reachable from the initial state. Thus one often considers 
the reachable subautomaton of a bound system. 

• The model allows for true concurrency, not just interleaving semantics. A motion of the bound system such as that labelled (l, l): (0, u) → (1, r) is truly concurrent, in that the philosopher and the fork change state simultaneously.

The binding P · Q allows a philosopher and a fork to synchronize on their common boundary by locking and unlocking.
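As an added worked example (our own Python, not code from the paper or its authors), the following models the philosopher P and fork Q of section 2.1.3, computes appearances and reduced appearances of behaviours (section 2.2), implements binding, feedback and product on two-boundary automata (section 2.3) with the reflexive motions left implicit, checks the instance of Proposition 4 that fby(P × Q) and P · Q coincide, and exhibits the three points listed above on the reachable subautomaton of P · Q. It also closes n copies of P · Q into a ring by binding them into a chain and feeding the last boundary back, a design equivalent to figure 6 chosen so that no permutation of wires is needed, and lists the reachable global states of that closed system from which no nontrivial motion leaves, the deadlock question taken up in section 3. The state numbering 0..3 of P follows the order of the cycle in section 2.2.1, and state 0 is taken as initial as in section 2.3.5; both are assumptions about figure 1, which is not reproduced here.

```python
from collections import deque
from itertools import product as cartesian

TRIVIAL = "-"
LEFT, RIGHT = 2, 3  # positions of the left and right boundary labels in a motion tuple


def is_trivial(label):
    """A label idles when every wire of the boundary carries the trivial action."""
    return all(a == TRIVIAL for a in label)


class Automaton:
    """Two-boundary automaton S: X -> Y.  A motion is (src, dst, left_label, right_label), each
    label a tuple with one atomic action per wire.  Only nontrivial motions are stored; the
    reflexive (idling) motion of every state is implicit, as in the paper's pictures."""

    def __init__(self, states, motions, initial, left_arity=1, right_arity=1):
        self.states, self.motions, self.initial = set(states), list(motions), initial
        self.la, self.ra = left_arity, right_arity

    def all_motions(self):
        """Stored motions plus the implicit reflexive edges, each tagged True if reflexive."""
        refl = [((v, v, (TRIVIAL,) * self.la, (TRIVIAL,) * self.ra), True) for v in self.states]
        return [(m, False) for m in self.motions] + refl


# Philosopher P: L -> L.  States 0..3 follow the cycle lock-left, lock-right, unlock-left,
# unlock-right of section 2.2.1; the numbering is our assumption about figure 1.
P = Automaton([0, 1, 2, 3], [
    (0, 1, ("lock",), ("-",)), (1, 2, ("-",), ("lock",)),
    (2, 3, ("unlock",), ("-",)), (3, 0, ("-",), ("unlock",))], initial=0)

# Fork Q: L -> L with states u (free), l (held through its left boundary), r (right boundary).
Q = Automaton(["u", "l", "r"], [
    ("u", "l", ("lock",), ("-",)), ("l", "u", ("unlock",), ("-",)),
    ("u", "r", ("-",), ("lock",)), ("r", "u", ("-",), ("unlock",))], initial="u")


def appearance(behaviour, side):
    """Appearance on one boundary of a behaviour given as a path (list) of motions."""
    return [m[side] for m in behaviour]


def reduced(seq):
    """Reduced appearance: the same sequence with the trivial actions elided."""
    return [a for a in seq if not is_trivial(a)]


def bind(S, T):
    """S . T : pairs (e, f) that perform the same action on the shared boundary Y."""
    assert S.ra == T.la, "bound boundaries must have the same type"
    tm = T.all_motions()
    motions = [((v, w), (v2, w2), x, z)
               for (v, v2, x, y1), e_refl in S.all_motions()
               for (w, w2, y2, z), f_refl in tm
               if not (e_refl and f_refl) and y1 == y2]
    return Automaton(cartesian(S.states, T.states), motions, (S.initial, T.initial), S.la, T.ra)


def product(S, T):
    """S x T : components move independently; boundary labels are concatenated."""
    tm = T.all_motions()
    motions = [((v, w), (v2, w2), x + x2, y + y2)
               for (v, v2, x, y), e_refl in S.all_motions()
               for (w, w2, x2, y2), f_refl in tm if not (e_refl and f_refl)]
    return Automaton(cartesian(S.states, T.states), motions, (S.initial, T.initial),
                     S.la + T.la, S.ra + T.ra)


def feedback(S, k=1):
    """fby(S) for S: X x Y -> Y x Z, Y being the last k left wires and the first k right wires."""
    n = S.la
    motions = [(v, v2, x[:n - k], z[k:]) for (v, v2, x, z) in S.motions if x[n - k:] == z[:k]]
    return Automaton(S.states, motions, S.initial, S.la - k, S.ra - k)


def reachable(S):
    """Subautomaton reachable from the initial state (breadth-first over nontrivial motions)."""
    seen, todo = {S.initial}, deque([S.initial])
    while todo:
        v = todo.popleft()
        for src, dst, _, _ in S.motions:
            if src == v and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    kept = [m for m in S.motions if m[0] in seen and m[1] in seen]
    return Automaton(seen, kept, S.initial, S.la, S.ra)


def internal_motions(S):
    """Motions trivial on both boundaries, e.g. synchronizations hidden by binding."""
    return [m for m in S.motions if is_trivial(m[LEFT]) and is_trivial(m[RIGHT])]


def philosophers_ring(n):
    """Ring of n philosophers and forks: chain n copies of P . Q, then close the last fork's
    right boundary onto the first philosopher's left boundary with a single feedback."""
    chain = bind(P, Q)
    for _ in range(n - 1):
        chain = bind(chain, bind(P, Q))
    return feedback(chain, 1)


def stuck_states(S):
    """Reachable states of a closed system with no outgoing nontrivial motion: deadlocks."""
    R = reachable(S)
    return [v for v in R.states if not any(m[0] == v for m in R.motions)]


if __name__ == "__main__":
    print(reduced(appearance(P.motions, LEFT)))  # one cycle of P seen on its left boundary
    PQ = reachable(bind(P, Q))
    print(len(PQ.states), "of", len(bind(P, Q).states), "states of P.Q reachable;",
          len(internal_motions(PQ)), "internal motions")
    print(stuck_states(philosophers_ring(3)))  # every philosopher holding her left fork
```

Because reflexive motions are implicit, `bind` and `product` pair each stored motion with the other automaton's idling edges explicitly, which is exactly what lets one component move while the other stays still; the only pairing excluded is the one where both sides idle, since that is the implicit reflexive edge of the composite.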



Figure 4: The diagonal automaton on X [a single state with one loop for each x ∈ X, labelled x on all three boundaries of type X]

Figure 5: The binding of a philosopher and a fork






2.4 Designs and Systems 

The design diagrams we have given for the operations are more than a guide to the intuition behind the operations. These diagrams form a precise algebra for constructing designs. Given a stock of variables for automata with boundaries of given type, we can draw a diagram by juxtaposing automata and connecting boundaries with wires for the operations of binding, feedback and product - such a diagram is an expression for an automaton, which can be evaluated given automata values for the variables. Such an expression is called a design.



2.4.1 The Geometry of Designs 

Considering designs as expressions in a precise algebra with the operations of 
section 2.3, one should "parenthesize" such expressions to indicate the desired 
order of evaluation. 

Given two automata S: X → Y and T: X → Y, we say they are isomorphic if there is a bijection between states of S and states of T and a bijection between motions of S and motions of T which respect the source and target of motions and the labelling of motions on the boundaries. One can then prove propositions justifying the diagrammatic manipulations one would like to carry out, and alleviate the need to parenthesize diagrams in most situations.



For example, one can easily prove that binding is associative (up to isomorphism of automata). Given automata S: X → Y, T: Y → Z and U: Z → W, we have that

[binding diagram: (S · T) · U and S · (T · U)]

where the dotted boxes indicate the order of binding. Symbolically, (S · T) · U and S · (T · U) are isomorphic.

Thus we can draw diagrams when binding many systems with no risk of 
confusion. Of course, binding is not the only operation we consider, and one 
can prove propositions relating the different operations: 



Proposition 4 Given automata with boundary S: X → Y and T: Y → Z, we have that

[diagram: fby(S × T) and S · T]

In symbols, the automata fby(S × T) and S · T are isomorphic.

The following result is termed the middle four interchange law:

Proposition 5 Given automata with boundary S: X → Y, T: Y → Z, Q: U → V, and R: V → W, we have that

[diagram: (S · T) × (Q · R) and (S × Q) · (T × R)]

In symbols, the automata (S · T) × (Q · R) and (S × Q) · (T × R) are isomorphic.



It is worth noting that the geometry of designs is a purely combinatorial geometry - the wires are a mechanism for denoting the connection between boundaries, and the curvature and crossing of wires has no effect on the geometry of the design. A precise combinatorial model of designs in an appropriate mathematical context shall be described in a forthcoming paper [?].

2.4.2 Systems are designs with implementation



By a system we mean a design together with an assignment of an automaton with boundary to each variable in the design, these assignments being compatible with the operations used to evaluate designs. An instance of a variable automaton occurring in a given design is termed a component of the system. Each system has an associated automaton, called the composite automaton, or the evaluation of the system, obtained by realising the operations of the design on the assigned automata in accordance with the definition of the operations in section 2.3.



While the evaluation of a system may in some sense be seen as the goal of design, inasmuch as the problem of design is to produce an automaton with specific properties, the system itself is far more important from the point of view of analysis. Retaining the design of the final automaton in the system allows us to utilise facts about the construction of the system in order to analyse it - in section 3.3 we shall give an algorithm which uses design information to assist model checking. Given the effort typically devoted to design of a system in real world terms, it seems only rational that a theory of distributed systems retain designs as an element which is both precisely represented and capable of being computed with. For even though the ultimate (external customer) deliverable of a development effort is the compiled code (= evaluated automaton), a development effort is also expected to deliver a design to maintenance engineers in a usable (= analyzable) form.



2.4.3 Subsystems 

Given a system, by a subsystem we mean some subset of the components of the system. Such a subsystem gives rise to an automaton via evaluation; we shall usually abuse terminology and use the term subsystem for this evaluation also.

For both binding and product, the states of the constructed automaton are 
pairs of states of the automata being operated upon. In the case of feedback, the 
states are states of the fed back automaton. Hence each state of the evaluation of 
a system gives rise to a state of the automaton associated with each component. 
We shall refer to states of the automata associated with components as local 
states, and by contrast refer to a state v of the evaluation of the system as a 
global state of the system. 

Further, given a subsystem of some larger system, each state of the evalu- 
ation of the system gives rise to a state of the subsystem in the obvious way 
(subsystem states are tuples of the local states of the components which form 
the subsystem). We refer to a state of a subsystem arising in this manner as a 
local state of the subsystem. 

Similar remarks hold for motions and behaviours, and we shall thus use the 
terms local motion, global motion, local behaviour, and global behaviour for the 
corresponding concepts. 
2.4.4 Dining Philosopher Systems

For any n ∈ N, we can form the composite automaton fby((P · Q)^n) - this automaton has no boundaries, and models a ring of n philosophers with their n intervening forks. For example, figure 6 shows a design for a ring of three philosophers with their forks. This design, together with the assignment of P and Q to the automata of figures 1 and 2 respectively, comprises a system of dining philosophers.





Figure 6: A ring of 3 philosophers and their forks



2.5 Linear Automata 

A motion e of an automaton with boundary (S, (X_i, μ_i)_{i ∈ I}) is said to be linear if the action μ_i(e) performed by e on the i'th boundary is nontrivial for at most one i ∈ I. The automaton S itself is said to be linear if every motion of S is linear.

That is, a linear automaton is an automaton that interacts with at most one 
boundary in a given state. Linear automata have their boundaries decoupled, in 
the sense that they never require simultaneity on distinct boundaries. Another 
point of view is that linear automata are those modelling systems for which 
interleaving semantics are sufficient. 

We note that even if the automata S and T are linear, the binding S · T and the product S × T may be nonlinear. For example, the binding of a philosopher and a fork (each a linear automaton) produces the nonlinear automaton of figure 5.

2.5.1 Linearizable Automata 

An automaton with boundary (S, (X_i, μ_i)_{i ∈ I}) is linearizable if, for each motion e: v → w of S and given total order on I, we can find a behaviour

$$v = v_0 \xrightarrow{e_1} v_1 \xrightarrow{e_2} \cdots \xrightarrow{e_n} v_n = w$$

of S such that

(i) each e_k is linear

(ii) if k, l ∈ [n] are such that μ_i(e_k) and μ_j(e_l) are nontrivial and i < j in the total order on I, then we have k < l

(iii) if i ∈ I is such that μ_i(e) is nontrivial, then there exists a k ∈ [n] such that μ_i(e) = μ_i(e_k).

where [n] denotes the set {1, ..., n}. Note that condition (ii) implies that distinct e_k's cannot both perform nontrivial actions on the same boundary, i.e. that the existence in (iii) is unique.

Less symbolically, linearizable automata are those for which any nonlinear 
motion e can be refined into a series of linear motions with any desired ordering 
on the actions carried out simultaneously by e. 

Given linear automata S and T, we observed above that their binding and product 
need not be linear. It is however the case that they will be linearizable. A 
linearizable automaton can be linearized by considering only the linear motions. 
For example, linearizing the subautomaton of figure 5 reachable from the initial 
state produces the automaton shown in figure 7. 




Figure 7: The linearized reachable binding of a philosopher and a fork 



It should be noted that one cannot restrict attention solely to linear au- 
tomata, as the operation of feedback presented in section 2.3.2 is not well suited 
to linear automata - the only motions in a fed back linear automaton are those 
which are trivial on the fed back boundaries. Further, the structural components 
described in section 2.3.4 are not linear automata. 



2.5.2 Atomic Motions 



Consider a system in which each automaton assigned to a variable of the design 
is linear. Given a global motion e of the system, we have a corresponding local 
motion $e_c$ for each component c of the system. We say that the global motion e 
is an atomic motion if 

(i) The local motions $e_c$ are nontrivial for at most two components. 

(ii) In the case that the local motions $e_c$ and $e_d$ are nontrivial for distinct 
components c and d, the components c and d have boundaries $(X, \mu_i)$ 
and $(X, \mu_j)$ (respectively) which are joined by a wire in the design, and 
for which $\mu_i(e_c) = \mu_j(e_d)$ is nontrivial. 

That is to say, the atomic motions are those for which multiple components 
move nontrivially only in the event they are synchronizing on boundaries joined 
by the design. 

Given a system comprised of linear automata, the subautomaton of the 
composite automaton with all states but only atomic motions is termed the 
atomic core of the system. The atomic core restricts attention to those motions 
which are not fortuitously simultaneous. We shall use this notion when dis- 
cussing model checking for deadlock in section 3.3. We simply remark at this 
point that when considering a complete system, the atomic core allows sufficient 
motions to fully explore the system, in the sense that any state w of the system 
reachable from a state v is reachable via atomic motions. However, we cannot 
restrict attention to the atomic core prematurely, for feedback of systems relies 
on nonlocal simultaneity. 



We shall not investigate linearity further at present, but merely note that 
one of the strengths of the theory presented here is that specific requirements 
for envisaged domains (e.g. interleaving semantics) can be carried as additional 
properties of, or structure on, the basic theory. Precisely what can be done to 
tailor the basic theory for application to a specific domain is an area for further 
interesting work. Further work on linear automata can be found in section 4.1 
of [jn| , including a connection with the process algebras of Hoare. 



3 Model Checking 

In this section we turn our attention to the problem of model checking - verifying 
that a given system has certain properties. The property we shall examine in 
detail is that of deadlock. We give an algorithm for finding a subspace of the 
state space of a given automaton, such that if the automaton possesses a dead- 
lock v, then the subspace possesses v. In the case of the dining philosophers, this 
subspace is only quadratically large in the number of philosophers. This result 
has also been achieved using stubborn sets (see pof). We then indicate some 
examples where the algorithm does not give such a good result. In section 4.3, 
we shall show how to leverage the algorithm presented here to these cases using 
abstraction techniques. 

For the remainder of this section, we restrict attention to finite automata. 



3.1 Deadlock detection 

A state v of an automaton $S: X \to Y$ is said to be a deadlock state if the 
only motion with source v is the reflexive motion. For example, if the com- 
posite of three dining philosophers and their forks (figure 6) is evaluated, the 
state (1, r, 1, r, 1, r) is a reachable deadlock. Naively, to check for a reachable 
deadlock in an automaton, one must examine every reachable state and deter- 
mine if it is a deadlock state. In the example of the dining philosophers, a ring 
of n philosophers has $(4 \times 3)^n$ states, of which $3^n - 1$ are reachable (for n > 2). 
However, we can attempt to exploit the design of the system to simplify our 
search. The motivating case is the example of products of automata: 

Proposition 6 Let $S: X \to Y$ and $T: Z \to W$ be automata with given initial 
states $v_0$ and $w_0$. If the product $S \times T$ has a reachable deadlock, then it has a 
reachable deadlock of the form $(v^*, w^*)$ where $v^*$ is a deadlock of S and $w^*$ is a 
deadlock of T. 

Moreover, this deadlock is reachable by first considering those motions trivial 
in T, and then considering those motions trivial in S. 

The content of the proposition is that it suffices to check the subautomaton 
of states of the form $(v, w_0)$ or $(v^*, w)$ when searching for a reachable deadlock. 
In general, this subautomaton has a number of states bounded by $\#S + \#T$, as 
opposed to the $\#S \times \#T$ states in the full product $S \times T$. 

We define a strong deadlock analysis of an automaton $S: X \to Y$ with initial 
state v to be a subautomaton T of S such that 

(i) T contains v 

(ii) If w is a deadlock state of S reachable from v, then w is in T. 

One could also consider the notion of a weak deadlock analysis, where the second 
condition is replaced by the weaker condition 

(ii') If a deadlock state of S is reachable from v, then T contains a deadlock 
reachable from v. 

Then the content of proposition 6 is that the subautomaton of $S \times T$ with 
states those states (v, w) such that $v = v^*$ or $w = w_0$, and motions all motions 
between these states, comprises a weak deadlock analysis of the product. If we 
include all states (v, w) such that either v is a deadlock of S or $w = w_0$, we 
obtain a strong deadlock analysis of the product. 

3.2 Introspective Subsystems 

Most systems of interest do not decompose as products as required for the 
deadlock analysis provided by proposition 6 - some coupling is required in order 
for distributed parts of the system to communicate and achieve a common goal. 
However, many systems of interest do "locally decouple" in the sense that parts 
do not spend their entire time in communication with each other, and generally 
restrict their interaction to specific parts of the system at specific times. 

Before presenting a notion of local decoupling appropriate to our theory, we 
mention again the example of the dining philosophers. Consider the reachable 
linearized subautomaton of the binding of a philosopher and a fork as shown in 
figure 7. From the state (3, l) we have a motion to (0, u) labelled (−|−). Being 
an internal motion of the bound automaton and the only motion out of (3, l), 
any behaviour from this state must use this motion, and the environment of 
the automaton cannot affect the viability of this motion. That is to say, the 
philosopher and the fork have locally decoupled from the rest of any larger 
system they may be a part of. We would like to restrict our search for a deadlock 
by taking advantage of the fact that this motion is independent of the action of the 
rest of the system. 

Given an automaton S with boundaries $(X_i, \mu_i)$, and a state v of S, we say 
that S is watching or looking at boundary i in state v if there is a motion $e: v \to w$ 
of S such that $\mu_i(e)$ is nontrivial. Conversely, the automaton S is ignoring 
boundary i in state v if every motion with source v performs the trivial action 
on the boundary $X_i$. 

For example, the philosopher of figure 1 is watching the left boundary in 
states 0 and 2, and watching the right boundary in states 1 and 3. The fork of 
figure H is watching the left boundary in states l and u, and the right boundary 
in states u and r. 

Proposition 7 Let $S: X \to Y$ and $T: Y \to Z$ be automata. Let v be a non-deadlock 
state of S such that S is ignoring Y in state v. For any state w of T, if there 
is a behaviour of $S \cdot T$ with initial state (v, w) which leads to a deadlock $(v^*, w^*)$, 
then there is such a behaviour whose first nontrivial motion is trivial in T. 

Proof: Suppose, by way of contradiction, this were not true. Let (v, w) be a 
state of $S \cdot T$ such that a deadlock $(v^*, w^*)$ is reachable from (v, w), but not by 
an initial nontrivial motion which is trivial in T. Let $\beta$ be a behaviour of $S \cdot T$ 
with initial state (v, w) and reaching the deadlock. Write 

$$\beta = (v_0, w_0) \xrightarrow{(f_1, g_1)} (v_1, w_1) \xrightarrow{(f_2, g_2)} (v_2, w_2) \xrightarrow{} \cdots \xrightarrow{(f_n, g_n)} (v_n, w_n) = (v^*, w^*)$$ 

where $v_0 = v$ and $w_0 = w$. 

We claim some $f_i$ is a nontrivial motion of S. If not, then $v_n = v$. Since v is 
not a deadlock state of S, there is some motion with source v, say e labelled (x|y). 
Since S is not looking at Y in state v, it must be that y = − is trivial. Hence 
we can extend $\beta$ with the motion e in S and the trivial motion in T, and thus $\beta$ 
did not reach a deadlock state, contrary to the choice of $\beta$. 

Let k be minimal such that $f_k$ is a nontrivial motion in S. Note that $f_i$ is 
trivial for $i = 1, \ldots, k-1$. Thus 

$$v_0 = v_1 = \cdots = v_{k-1}.$$ 

The triviality of $f_i$ for $i < k$ also implies that the action performed by $f_i$ on 
the boundary Y is trivial. The action performed by $f_k$ on the boundary Y is 
also trivial, since S is not looking at Y in state v. Thus, since $g_i$ synchronizes 
with $f_i$, we have that the action performed by $g_i$ on the boundary Y is also 
trivial, for $i = 1, \ldots, k$. 

It is now evident that 

$$(v_0, w_0) = (v_{k-1}, w_0) \xrightarrow{(f_k, -)} (v_k, w_0) \xrightarrow{(-, g_1)} (v_k, w_1) \xrightarrow{(-, g_2)} \cdots \xrightarrow{(-, g_k)} (v_k, w_k) \xrightarrow{(f_{k+1}, g_{k+1})} (v_{k+1}, w_{k+1}) \to \cdots \to (v_n, w_n) = (v^*, w^*)$$ 

is a behaviour of $S \cdot T$ with initial state (v, w) that leads to the specified 
deadlock $(v^*, w^*)$, and that has first motion trivial in T. Hence the desired 
contradiction. □ 

For a system with composite automaton S and a global state v of S, a sub- 
system is said to be introspective at v if each component of the subsystem, when 
in the local state corresponding to v, is ignoring every boundary on which it 
connects to components not in the subsystem. 

Proposition 8 Consider a global state v of a system and a subsystem that is 
introspective at v but not deadlocked when in the local state corresponding to v. 
If a deadlock of the system is reachable from v, it is reachable via a behaviour 
whose first nontrivial motion is trivial outside the given subsystem. 

Proof: Using the algebra of designs, organize the system as a composite of the 
given subsystem and its complement: 

[design diagram: the introspective subsystem wired to the rest of the system] 

Now apply proposition 7 to the composite of the evaluation of the two subsys- 
tems. □ 
Given an introspective but not deadlocked subsystem at each global state v 
of the composite automaton S of a system, we can apply proposition 8 repeatedly 
to produce a strong deadlock analysis by including only those motions of S which 
are trivial outside the introspective subsystem associated with their source, and 
including only those states which are reachable from the initial state of S via 
the included motions. 



3.3 Minimal Introspective Subsystem Analysis 

It may be that, for a given design, the introspective subsystems are obvious, or 
designed in to the system so as to provide for more efficient checking. However, 
it is also desirable to automatically check a given system for absence of deadlock, 
exploiting the known design of the system to reduce the state space explosion 
associated with exhaustive model checking. 

The idea of minimal introspective subsystem analysis is to guide the explo- 
ration of the state space via proposition 8. More precisely, we construct the 
deadlock analysis of a given system suggested at the end of the previous 
section as we explore the state space, by choosing a minimal introspective 
subsystem at each state. 

Let us fix for discussion a system with composite automaton S. Given a 
global state v of S and a component of the system, we can examine the automa- 
ton assigned to the component to determine which boundaries the automaton 
is looking at in the local state corresponding to v. 

Given this information for each component and the design of the system, 
it is a simple matter to construct a non-deadlocked minimal introspective sub- 
system at v — consider the directed graph with vertices the components and 
edges indicating that the component represented by the source is looking at the 
component represented by the target, and flood fill along edges from each vertex 
to find introspective subsystems. 

This process determines, for each component, the minimal introspective 
subsystem containing that component. If the global state v is not a (global) 
deadlock, then some nontrivial motion is possible. Hence at least one compo- 
nent, and thus the introspective subsystem containing it, is not deadlocked. We 
select the smallest of these subsystems which is not deadlocked in the local state 
corresponding to v. 

We then explore the states of S only along motions which are trivial outside 
the selected minimal introspective subsystem, looking for deadlock - proposi- 
tion 8 guarantees that a reachable deadlock is reachable via a motion trivial 
outside the introspective subsystem. By maintaining a list of visited states, we 
can ensure the algorithm terminates. 

In the event the automata assigned to variables of the design are linear, it 
suffices to explore the states of S only along atomic motions (see 2.5.2) - in this 
case restricting to the subautomaton including only atomic motions does not 
alter the reachability of states. 

3.3.1 Minimal Introspective Subsystem Analysis of Dining Philoso- 
phers 

Let us consider the system consisting of a ring of n philosophers and their n 
intervening forks. Since each automaton used in the system is linear, we can 
restrict our attention to atomic motions. We shall now walk through the appli- 
cation of the minimal introspective subsystem analysis algorithm proposed in 
section 3.3 for this system. 

Initially, each philosopher is looking at the left boundary, and each fork is 
looking at both boundaries. So the only introspective subsystem is the entire 
system, giving n atomic motions to be explored (each motion being one for 
which a given philosopher acquires their left fork). 

Each state reached next has precisely one philosopher having obtained their 
left fork. Let us consider the state in which the philosopher $P_1$ has acquired his 
left fork. At this point, we see $P_1$ is now looking at his right boundary, and $P_2$ 
is looking at her left boundary, and the fork $F_1$ is looking at both boundaries. 
These three components thus form an introspective subsystem as required. A 
moment's thought shows that it is minimal, and a moment's more that it is the 
only minimal introspective subsystem. There are only two nontrivial atomic 
motions in this subsystem - either $P_1$ acquires the fork or $P_2$ acquires the fork. 

In the former case, the system comprised of $P_1$ and his left fork now consti- 
tutes a minimal introspective subsystem - the philosopher is in state 2 attempting 
to relinquish the left fork, and the left fork is in state r having been acquired 
by the philosopher on its right. The single nontrivial atomic motion of the 
subsystem is to relinquish the fork. Following this, and by a similar analysis, 
the philosopher relinquishes his right fork. The system has now returned to the 
initial state, which is marked as checked. 

In the latter case of $P_2$ acquiring the fork $F_1$, we apply similar reasoning 
to the competition between $P_2$ and $P_3$ to acquire $F_2$, as these three systems 
once again comprise the unique minimal introspective subsystem at the global 
state under consideration. In exploring the case that $P_2$ is successful, she will 
proceed to relinquish her left and right forks, and we return to the state where 
she is competing with $P_1$. In exploring the case $P_3$ is successful we examine the 
subsystem comprised of $P_3$, $F_3$ and $P_4$. 

The algorithm continues in this manner, obtaining a minimal introspective 
subsystem comprising two philosophers and their intervening fork at each stage, 
and progressing in two ways - allowing one philosopher to run to completion, or 
moving to the competition for the next fork around the table. Eventually the 
deadlock in which each philosopher has acquired their left fork is found. 

It is evident that after the initial state, we explore 3 states for each philoso- 
pher (as it moves through states 1, 2 and 3) bar the last. The exploration stops 
when the last philosopher acquires his left fork, and hence each philosopher has 
acquired their left fork and the system is deadlocked. Potentially then, we are 
required to explore the initial state, the final deadlock state, and 3(n − 1) for 
each choice of the initial n motions. Thus $3n^2 - 3n + 2$ states are explored, a 
significant reduction on the $3^n - 1$ reachable states in the system. 

This result has been described using stubborn sets in p9| , where the same 
polynomial for the number of states checked is computed. 
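The algorithm of section 3.3 applied to the ring of section 3.3.1, as an added Python example (not code from the paper or its authors): it encodes the philosopher and fork automata, enumerates atomic motions, flood fills the minimal introspective subsystems, and compares the guided exploration against the exhaustive one. The tuple encoding of global states and all function names are assumptions of the example.

```python
"""Minimal introspective subsystem analysis of a ring of dining philosophers."""
from collections import deque

# Local transitions: state -> [(left_action, right_action, next_state)], with
# None the trivial action.  Philosopher states 0..3 and fork states l/u/r follow
# the paper; lock/unlock are the labels of figure 9 (constructed encoding).
PHIL = {
    0: [("lock", None, 1)],      # acquire left fork
    1: [(None, "lock", 2)],      # acquire right fork
    2: [("unlock", None, 3)],    # release left fork
    3: [(None, "unlock", 0)],    # release right fork
}
FORK = {
    "u": [("lock", None, "l"), (None, "lock", "r")],  # free: either side may lock
    "l": [("unlock", None, "u")],  # held by the philosopher on the fork's left
    "r": [(None, "unlock", "u")],  # held by the philosopher on the fork's right
}

def ring(n):
    """Components P_1, F_1, ..., P_n, F_n; the right boundary of component c is
    wired to the left boundary of component (c + 1) mod 2n, the last wire
    being the feedback that closes the ring fb_L((P.Q)^n)."""
    comps = [PHIL, FORK] * n
    init = tuple(0 if c is PHIL else "u" for c in comps)
    return comps, init

def watching(comps, state, c):
    """Boundaries ('L', 'R') that component c is looking at in the global state."""
    bounds = set()
    for left, right, _ in comps[c][state[c]]:
        bounds |= {b for b, act in (("L", left), ("R", right)) if act is not None}
    return bounds

def atomic_motions(comps, state):
    """Atomic motions (section 2.5.2): two wired components synchronise on one
    nontrivial action while every other component idles.  Philosophers and
    forks have no internal motions, so these are all the nontrivial ones."""
    m = len(comps)
    for c in range(m):
        d = (c + 1) % m  # component on the far side of c's right boundary
        for _, act, next_c in comps[c][state[c]]:
            if act is None:
                continue
            for left, _, next_d in comps[d][state[d]]:
                if left == act:
                    nxt = list(state)
                    nxt[c], nxt[d] = next_c, next_d
                    yield frozenset((c, d)), tuple(nxt)

def minimal_introspective(comps, state):
    """Flood fill along 'c looks at d' edges from each component: the closure is
    the minimal introspective subsystem containing it.  Return the smallest
    closure with an atomic motion inside it, or None at a global deadlock."""
    m = len(comps)
    moves = list(atomic_motions(comps, state))
    best = None
    for start in range(m):
        sub, todo = {start}, [start]
        while todo:
            c = todo.pop()
            looks = watching(comps, state, c)
            for bound, d in (("L", (c - 1) % m), ("R", (c + 1) % m)):
                if bound in looks and d not in sub:
                    sub.add(d)
                    todo.append(d)
        inner = [nxt for pair, nxt in moves if pair <= sub]  # trivial outside sub
        if inner and (best is None or len(sub) < len(best[0])):
            best = (sub, inner)
    return best

def explore(n, guided):
    """Breadth-first search of the n-philosopher ring.  guided=False follows
    every atomic motion; guided=True follows only motions trivial outside the
    chosen subsystem (proposition 8).  Returns (states visited, deadlocks)."""
    comps, init = ring(n)
    seen, queue, deadlocks = {init}, deque([init]), []
    while queue:
        state = queue.popleft()
        if guided:
            choice = minimal_introspective(comps, state)
            successors = choice[1] if choice else []
        else:
            successors = [nxt for _, nxt in atomic_motions(comps, state)]
        if not successors:
            deadlocks.append(state)
        for nxt in successors:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return len(seen), deadlocks

if __name__ == "__main__":
    for n in (3, 4, 5, 6):
        full, _ = explore(n, guided=False)        # 3^n - 1 reachable states
        visited, found = explore(n, guided=True)  # 3n^2 - 3n + 2 states
        print(f"n={n}: exhaustive {full}, guided {visited}, deadlocks {found}")
```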

It should be noted that there are systems very similar to the dining philoso- 
phers in which the above algorithm does not reduce the checking to a polynomial 
number of states. Replacing the philosophers by either the system shown in 
figure 8 or figure 9 results in a system for which the above algorithm searches 
an exponential number of states. 

The alternative philosopher I, shown in figure 8, may be termed the nonde- 
terministic philosopher. In this case, minimal introspective subsystem analysis 
of the composite system must check two branches as the minimal introspective 
subsystem under consideration moves around the table. Informally then, we see 
that an exponential number of states will be checked (although still significantly 
less than the total number of states of the system). 

[Figure 8 diagram not recoverable from the extracted text] 

Figure 8: Alternative Philosopher I 

[Figure 9 diagram: a cycle of eight states, a double cover of the four-state philosopher, traversing the labels (lock|−), (−|lock), (unlock|−), (−|unlock) twice] 

Figure 9: Alternative Philosopher II 

The alternative philosopher II, shown in figure 9, may be termed the double 
cover philosopher. In this case, when the philosopher returns to the state of 
wishing to acquire his left fork in the first instance, he is in the local state 4, 
and not a searched state as in the basic example. Thus the algorithm arrives at 
many distinct states in which the minimal introspective subsystem is the entire 
system. There are $2^n$ reachable global states of this form, and it can be argued 
that the algorithm proposed above will visit all of them. Informally then we 
again have a situation where an exponential number of states are checked. 

It is worth noting that both the nondeterministic and double cover philoso- 
phers can be abstracted to the philosopher of figure 1 in a sense which is made 
precise in section 4.2. This abstraction allows us to use the strong deadlock 
analysis with only polynomially many states to check the more complex systems 
(see section 4.3). 



In this section we have outlined the principles of model checking for deadlock 
as manifested in our theory, and presented a very simple algorithm for reducing 
state space explosion in model checking. It should be emphasized that although 
simplistic, the algorithm does have demonstrably good behaviour on a particu- 
lar system, and importantly exhibits the principle of using design information 
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retained by our calculus to assist in the process of model checking. 



4 Simulation 

In this section we introduce a compositional notion of simulation of automata 
which has a close relation to work on simulations and bisimulations (see jy , |Q| , 
and J8|). We will also indicate how simulations can be used to facilitate model 
checking. 



4.1 Comparison of Automata 

We begin by defining reflexive graph morphisms. Denote a reflexive graph G 
by the pair (V, E) comprising its set of vertices V and its set of edges E. 
A reflexive graph morphism f from G = (V, E) to G' = (V', E') consists of 
functions $f_V: V \to V'$ and $f_E: E \to E'$ such that sources and targets of edges 
are preserved, as are reflexive edges. 

Suppose $(S, (X_i, \mu_i)_{i \in I})$ and $(T, (X_i, \nu_i)_{i \in I})$ are two automata with the same 
boundary action sets $(X_i)_{i \in I}$. A comparison f from S to T is a reflexive graph 
morphism f from S to T which preserves the actions on the boundaries - that 
is, for each $i \in I$, we have $\nu_i \cdot f = \mu_i$. We shall term the function comprising 
the action of f on states the state map, and the function comprising the action 
of f on motions the motion map. 

When we are writing automata in the form $X \to Y$ (as two boundary au- 
tomata), such a comparison is denoted $f: S \Rightarrow T: X \to Y$, although typically we 
shall just write $f: S \Rightarrow T$ as the boundaries will be understood. In this section 
we will consider automata equipped with an initial state, and comparisons are 
asked to preserve initial states. 



For example, let $P: L \to L$ be the philosopher described in section 2.1.3 
(figure 1), let $P': L \to L$ be the alternative philosopher I depicted in figure 8 
and let $P'': L \to L$ be the alternative philosopher II depicted in figure 9. There 
are unique comparisons $p: P' \Rightarrow P$, $q: P'' \Rightarrow P$ and $r: P'' \Rightarrow P'$, and these 
comparisons preserve the initial vertex 0. 

Action sets, automata and comparisons form what is known as a discrete 
Cartesian bicategory (see jj)). Rather than recalling the definition of this com- 
plicated algebraic structure, we will only consider the operations relevant to this 
paper; namely, composition, binding, feedback and product of comparisons. 



4.1.1 Composition 

Given automata R, S, and $T: X \to Y$, and comparisons $f: R \Rightarrow S$ and $g: S \Rightarrow T$, 
we define the composite comparison $g \circ f: R \Rightarrow T$. The composite has state map 
the composite of the state maps of f and g and motion map the composite of 
the motion maps of f and g - both these latter composites being the usual 
composite of functions. It is routine to check that the composite, so defined, is 
a comparison $R \Rightarrow T$. 

In categorical terms, this composite is simply the composite of f and g in 
the category of reflexive graphs. In fact, for any two action sets X and Y we can 
form a category Aut(X, Y). Its objects are automata of the form $S: X \to Y$ 
and its arrows are comparisons between these automata. 



4.1.2 Binding, feedback and product 



We now describe how the operations on automata described in section 2.3 also 
apply to comparisons. In each case, the data for the operations consists of 
comparisons between data suitable for the corresponding automata operation. 

Given automata S and $T: X \to Y$ and automata U and $V: Y \to Z$, together 
with comparisons $f: S \Rightarrow T$ and $g: U \Rightarrow V$, we define the binding of f and g - a 
comparison $f \cdot g: S \cdot U \Rightarrow T \cdot V$. 



As described in section 2.3.1, the state space of $S \cdot U$ has states consisting 
of pairs (v, w) with v a state of S and w a state of U, and motions consisting 
of pairs of motions performing the same action on the common boundary. The 
comparison $f \cdot g$ maps the state (v, w) by mapping v as f does, and w as g does, 
with the obvious extension to motions. 

The fact that f and g respect the actions of motions on boundaries implies 
that $f \cdot g$ maps motions of $S \cdot U$ to motions of $T \cdot V$, and it is routine to check 
we have defined a comparison. 

Given automata S and $T: X \times Y \to Y \times Z$ and a comparison $f: S \Rightarrow T$, we 
define the feedback of f - a comparison $fb_Y(f): fb_Y(S) \Rightarrow fb_Y(T)$. 

The state space of $fb_Y(S)$ is that of S, but with motions only those that 
perform the same action on the two boundaries of S of type Y. Since f preserves 
the actions on boundaries, the image of such a motion under f is a motion of T 
performing the same action on the two boundaries of T of type Y. Thus the 
comparison f restricts to a comparison between the fed back automata, and this 
latter comparison is $fb_Y(f)$. 

Given automata S and $T: X \to Y$ and automata U and $V: W \to Z$, together 
with comparisons $f: S \Rightarrow T$ and $g: U \Rightarrow V$, we define the product of f and g - a 
comparison $f \times g: S \times U \Rightarrow T \times V$. 

The product $f \times g$ has state (resp. motion) map the product of the state 
(resp. motion) maps of f and g. That is, it operates on the state space of $S \times U$ 
componentwise. 



4.2 Simulations 

If $S: X \to Y$ is an automaton, let $\bar{S}: X \to Y$ denote the reachable subau- 
tomaton of S. Note that to give a comparison $f: \bar{S} \Rightarrow T$ is just to give a 
comparison $f: \bar{S} \Rightarrow \bar{T}$. 

By a simulation f from $S: X \to Y$ to $T: X \to Y$ we mean a compari- 
son $f: \bar{S} \Rightarrow \bar{T}$ such that f satisfies the following 'lifting property': for all states v 
of $\bar{S}$ and all motions $e: f(v) \to w$ in T, there exists a (finite) behaviour of $\bar{S}$ 

$$v = v_0 \xrightarrow{e_0} v_1 \xrightarrow{e_1} \cdots \xrightarrow{e_n} v_{n+1}$$ 

such that 

(i) for $0 \le i \le n - 1$, the motion $f(e_i)$ is the reflexive motion at f(v) 

(ii) $f(e_n) = e$ 

We say that the automaton T simulates S via f, and write $f: S \rightsquigarrow T: X \to Y$, 
or merely $f: S \rightsquigarrow T$ if the boundaries are understood. 

In light of this definition, we should revisit our view of reflexive motions as 
idling motions. More precisely, we emphasize that reflexive motions are idling 
at the level of abstraction of the automaton. When abstracting automata - that 
is, constructing comparisons and simulations - we may have cause to abstract 
away internal motions which are not germane to the analysis task at hand. Thus 
reflexive motions may be thought of as representing motions unimportant at the 
level of abstraction of the automaton, and not necessarily a strictly idle state of 
the process being modelled. 

The proof of the following proposition is straightforward. 

Proposition 9 If there is a simulation $f: S \rightsquigarrow T$ then S and T have the same 
set of reduced appearances. 

Of course, in the above proposition, we are only considering behaviours 
beginning at initial states. For the connection between this notion of simulation 
and notions of observational equivalences such as (It]], the reader is referred 
to || and @. 

The comparisons of philosophers $p: P' \Rightarrow P$, $q: P'' \Rightarrow P$ and $r: P'' \Rightarrow P'$ 
mentioned above are examples of simulations. One class of trivial (but, never- 
theless important) simulations is provided by the subautomata reachable from 
the initial states. That is, for every $S: X \to Y$, the identity graph morphism of 
$\bar{S}$ provides a simulation $1_{\bar{S}}: \bar{S} \rightsquigarrow S$. 

Proposition 10 Suppose $f: S \rightsquigarrow T$ is a simulation. If v is a reachable deadlock 
of S then f(v) is a reachable deadlock of T. 

The above proposition indicates that simulations may be used for detecting 
deadlocks: given an automaton S we try to find a simulation $f: S \rightsquigarrow T$ where T 
has significantly fewer states than S (that is, T is a quotient of S); we then look 
for deadlocks v in T; if T has no deadlocks, we conclude that neither does S; 
and if there are deadlocks v in T, we check to see if there are any among the 
states $w \in f^{-1}(v)$ of S. We give an example of this process at the end of this 
section. 

Action sets, automata and simulations also form a discrete Cartesian bicat- 
egory. The operations composition, binding, product and feedback of compar- 
isons induce the same operations on simulations. 






4.2.1 Composition 

Given simulations $f: R \rightsquigarrow S$ and $g: S \rightsquigarrow T$ where R, S, and $T: X \to Y$ are 
automata, there exists a simulation $g \circ f: R \rightsquigarrow T$ called the composite of f and g. 

The composite is formed by composing the comparisons $\bar{R} \Rightarrow \bar{S}$ and $\bar{S} \Rightarrow \bar{T}$ 
being the data provided for f and g. The requisite lifting property is easily 
established by first lifting via g, and then lifting each component of this lifting 
via f. 

As was the case with comparisons, for any two action sets X and Y we can 
form a category; namely the category Sim(X, Y) whose objects are automata 
with left boundary X and right boundary Y and whose arrows are simulations 
between these automata. 

4.2.2 Binding, feedback and product 

Given automata S and $T: X \to Y$ and automata U and $V: Y \to Z$, together with 
simulations $f: S \rightsquigarrow T$ and $g: U \rightsquigarrow V$, we define a simulation $f \cdot g: S \cdot U \rightsquigarrow T \cdot V$ 
called the binding of f and g. 

Given a state (v, w) of $\overline{S \cdot U}$, it is clear that v is reachable in S and w is 
reachable in U. Applying f to v and g to w thus yields a pair of states, and the 
reachability of (v, w) implies this image pair is reachable in $T \cdot V$. This defines 
the state map of $f \cdot g$. The motion map is similarly obtained from f and g. 

The lifting property is obtained by lifting componentwise. Without loss of 
generality, the lifted paths have the same length (if not, extend the shorter path 
by prepending reflexive motions). All but the last motion in each lifting has 
a reflexive image, and thus will be a motion of S ■ U . The images of the final 
motion in each lifting perform a common action on the boundary Y, since we 
are lifting a motion of T ■ V. Thus, since / and g are comparisons, the lifted 
motions also agree on their actions on the common boundary. 

Given automata S and $T: X \times Y \to Y \times Z$ and a simulation $f: S \rightsquigarrow T$, we 
shall construct a simulation $fb_Y(f): fb_Y(S) \rightsquigarrow fb_Y(T)$ called the feedback of f. 

Given a state v of fby(S), we have a path from the initial state of S to v 
consisting only of motions performing the same action on the two boundaries of 
type Y. Such v is clearly a state of S, and applying / then gives us a similar 
path in T, and we see that / induces a comparison as required. 

As in the case for binding, the lifting property follows from the property 
for / together with the fact that motions with reflexive image clearly perform 
the same action on the two boundaries of type Y, and the final lifted motion 
agrees after application of / and hence before it, since / respects the actions on 
boundaries. 

Given automata S and $T: X \to Y$ and automata U and $V: W \to Z$, together 
with simulations $f: S \rightsquigarrow T$ and $g: U \rightsquigarrow V$, we define the product of f and g, a 
simulation $f \times g: S \times U \rightsquigarrow T \times V$. 

Observe that $\overline{S \times U} = \bar{S} \times \bar{U}$, and thus the product of the comparisons 
underlying the simulations f and g yields a comparison to underlie $f \times g$. The 
lifting is performed componentwise, extending the shorter path by prepending 
reflexive motions if required. 

It is a crucial aspect of the theory that the operations on designs lift to 
operations on simulations. Thus, given a design, we can abstract parts of the 
design (i.e. simulate them with simpler systems) and produce abstractions of 
the whole system. In the next section we shall indicate how this can be used to 
support model checking in the concrete example of the dining philosophers. 



4.3 Simulations and Dining Philosophers 

We now indicate how simulations may facilitate the task of model checking. 



Consider the two alternative dining philosophers presented at the end of 
section 3.3.1 (figures 8 and 9). As noted there, the sizes of the state spaces of 
these systems which are explored by minimal introspective subsystem analysis 
grow exponentially with the number of philosophers n. 

Using these alternative philosophers with the design of the usual dining 
philosopher systems, we may construct corresponding systems $fb_L((P' \cdot Q)^n)$ 
and $fb_L((P'' \cdot Q)^n)$. We have already noted, however, that there are two sim- 
ulations $p: P' \rightsquigarrow P$ and $q: P'' \rightsquigarrow P$. Thus using the operations of section 4.2.2 
we can construct simulations 

$$\bar{p} = fb_L((p \cdot 1_Q)^n): fb_L((P' \cdot Q)^n) \rightsquigarrow fb_L((P \cdot Q)^n)$$ 

and 

$$\bar{q} = fb_L((q \cdot 1_Q)^n): fb_L((P'' \cdot Q)^n) \rightsquigarrow fb_L((P \cdot Q)^n).$$ 

Now apply the minimal introspective subsystem analysis to the standard 
philosopher system (recall the explored state space grows only quadratically with 
the number n). This analysis will find the unique deadlock d of fb^((P • Q) n ). 



Recall from section 3.3.1 that this state d corresponds to each fork being in 
state r and each philosopher being in state 1. 

We now know that the only deadlocks of the alternative philosopher systems 
are contained in and q^ 1 (d). It is easy to calculate these sets of states - 

for example, a state in p~ 1 (d) corresponds to each fork being in state r and each 
philosopher being in state 1 or 1'. In fact, each v G p^ 1 (d) and each w £ <7 -1 (rf) 
is a deadlock of fb^((P' • Q) n ) and fb^((P" • Q) n ) respectively, and these are 
the only deadlocks of these systems. 



What if we want to analyse the dining philosopher system for arbitrary n? With the use of software tools (such a tool is currently being specified and prototyped by the authors), it is reasonably straightforward to construct an automaton R: L → L, together with a pair of simulations f_2: (P · Q)^2 ~> R and f': P · Q · R ~> R. The compositionality of simulations allows us to deduce that for any n ≥ 2 there is a simulation f_n: (P · Q)^n ~> R. We define, inductively, for n ≥ 2,

    f_{n+1}: (P · Q)^{n+1} = P · Q · (P · Q)^n ~> P · Q · R ~> R

where the first simulation is 1_{P·Q} · f_n and the second simulation is f'.

In other words (from the point of view of observational equivalence and checking for deadlocks) we can replace a composed sequence of philosophers and forks of any length by the simple system R.

In the case of checking the dining philosopher system for deadlocks, we first form the simulation g = fb_L(f_n): fb_L((P · Q)^n) ~> fb_L(R) and then note that the automaton fb_L(R) has a unique deadlock c. It is easy to check that the only vertex v of fb_L((P · Q)^n) with the property that g(v) = c is that corresponding to each philosopher being in state 1 and each fork in state r, allowing us to conclude that this is the only deadlock of fb_L((P · Q)^n).



5 Further Examples 

In this section we shall present two further examples of systems composed from 
automata with boundary. We model a scheduler, which is responsible for en- 
suring certain execution order properties in a collection of concurrent systems. 
We also present a model of processes communicating via a channel, and indicate 
how communication protocols may be modelled as systems of automata with 
boundary. The goal of this section is not to present any deep insights into the 
systems we model, but to demonstrate the expressive power of the methodology, 
and the process of design within the methodology. 



5.1 Scheduling 

We have in mind a system which controls the execution of a number of processes in order to meet certain specifications. Each process has a certain part of its execution, called the controlled section, which is of interest to the scheduler. This system is also used as an example of the calculus described in [16].

Our processes P_1, ..., P_n each have one boundary, over which they will communicate with the scheduler. We shall write C = {−, begin, end} for the action set of these boundaries: the process synchronizes with a begin to indicate it is entering its controlled section, and synchronizes with an end to indicate it is leaving its controlled section. Every behaviour of each process must alternate begin and end actions on its boundary. We shall model the processes then with an automaton as shown in figure 10.



In light of proposition 10 and the constructions of section 4.2.2, any analysis we perform on systems involving P for deadlock will lift to the corresponding systems using more complex processes, provided only that these processes are simulated by P.

In fact, one could argue that the property of being simulated by P can be taken as a definition of the kind of process we are interested in, for the existence of such a simulation says precisely that the process has states of two kinds (those mapping to 0 and those mapping to 1), and that it transits between these states by actions observable on the boundary as begin and end.

Figure 10: A process P with a controlled section (edges labelled begin and end)

5.1.1 Design of the Scheduler 

A scheduler S for n processes of this kind has n + 1 boundaries, each of type C. The scheduler will be connected to the processes P_i on n of its boundaries, with the last boundary being reserved for control of the scheduler, allowing an external agent to start and stop the scheduler.

We shall construct a scheduler which forces the processes to begin their controlled sections in a fixed, cyclic, order. That is to say, we wish to control the processes such that in a global behaviour of the system, the first nontrivial local motion of one of the process components P_i is begin by P_1. The next nontrivial local motion by a process component is begin by P_2, and so on.

Following the design of [16], we shall construct the scheduler from a number of smaller automata. We shall use n copies of an automaton N, called a notifier. Each notifier starts a single process and records the completion of its controlled section. We also have a single master automaton M, which responds to outside control. The notifiers will pass a token around a circle. When receiving the token, a notifier ensures its process begins its controlled section, and then passes the token on. The master automaton hands the token out when it begins, and will only end when it holds the token, at which point it will not pass it on until another begin action occurs.

Each notifier is a copy of an automaton N, which has a boundary of type C, and two boundaries of type G = {−, go} over which the notifiers will synchronize with each other. The notifier is shown in figure 11; an edge labelled (a|b|c) indicates the action a on the left boundary G, the action b on the lower boundary C, and the action c on the right boundary G.

Beginning in state 0, a notifier waits for a go from its left hand side. It begins its process, and then passes the go to its right side. At this point, it waits to synchronize with a go from its left and an end from its process, before allowing the process to start again.

The master M likewise has a boundary of type C, and two boundaries of type G. It is shown in figure 12, with the same labelling convention as the notifier.

When the master receives a begin on its control boundary C, it sends a go to the right, and then waits for a go on its left. After receiving the go, it either passes it on or ends, at which point it must begin again before passing go to its right.

Figure 11: A notifier N

The scheduler proper is then constructed by composing n notifiers and one master in a cycle. The resultant automaton has n + 1 boundaries of type C. The n boundaries arising from the notifiers are connected to the processes we wish to control. The remaining boundary, arising from the master, is connected to the external control mechanism. Figure 13 shows the design of the final composite in the case n = 3.

In order to analyse this system below, we shall close the final boundary by 
binding a controlling process (an automaton of the form of P) to the remaining 
boundary of this design. 



5.1.2 Analysis of the Scheduler 

We shall now briefly indicate how one could analyze the scheduler system using 
the methodology described in this paper. 

Consider the design of the system as shown in figure 13, with an additional controlling process P bound to the remaining boundary.

We begin by evaluating the binding N · P. We shall not draw this binding in full, but we note that it is simulated by the automaton Q shown in figure 14.

Thus the binding N · P is simulated by a system which performs the go action on its boundaries alternately. The image of the initial state under the simulation is the state 0 in the automaton Q.

Now consider the master system. When bound with a controlling process of 
the form of P, the resultant system is also simulated by Q, although this time 
with initial state having image 1 in Q. 

Thus the evaluation of the system of figure 13 is simulated by a ring of n + 1 copies of Q, with initial state having precisely one copy of Q in the local state 1.

Figure 12: The master M



It is easy to see that the evaluation of such a system is isomorphic to the automaton whose states are cyclic strings of 0s and 1s of length n + 1, and whose motions are those which replace a 10 substring with a 01 substring. Consider the subautomaton reachable from an initial state which is a cyclic string containing precisely one local state 1: this is clearly a (graph theoretic) cycle of n + 1 states. Hence the system is deadlock free.

By keeping track of the simulations indicated in the preceding discussion, 
one can deduce more from the constructed simulation, including the desired 
behaviour in terms of the order of entering the controlled section for each 
controlled process. 
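The evaluated ring just described is small enough to explore directly. The following added example (not from the paper) encodes the cyclic-string automaton of the preceding paragraphs, enumerates the part reachable from the state in which only the master holds the token, and checks that it is a cycle of n + 1 states with no deadlock and that the processes begin in the order P_1, P_2, ..., P_n. The encoding of positions (0 for the master, i for the notifier bound to P_i) and the helper names are this example's own.

```python
"""Added example: the scheduler ring of section 5.1.2 as the automaton on
cyclic 0/1 strings whose motions replace a cyclic substring 10 by 01.
Position 0 is the master bound to its controlling process; position i >= 1
is notifier i bound to process P_i (an encoding chosen for this example)."""
from collections import deque


def motions(config):
    """Motions out of the cyclic string `config` (a tuple of 0/1): each
    position i holding 1 whose right neighbour holds 0 may pass the token.
    Returns (i, successor) pairs, i being the position that passed `go`."""
    n1 = len(config)
    out = []
    for i in range(n1):
        j = (i + 1) % n1
        if config[i] == 1 and config[j] == 0:
            nxt = list(config)
            nxt[i], nxt[j] = 0, 1
            out.append((i, tuple(nxt)))
    return out


def explore(initial):
    """Exhaustive search of the reachable subautomaton.  Returns the set of
    reachable states, the set of motions (source, passer, target) and the
    set of deadlocks (reachable states with no motion out of them)."""
    states, edges, deadlocks = {initial}, set(), set()
    todo = deque([initial])
    while todo:
        s = todo.popleft()
        outs = motions(s)
        if not outs:
            deadlocks.add(s)
        for i, t in outs:
            edges.add((s, i, t))
            if t not in states:
                states.add(t)
                todo.append(t)
    return states, edges, deadlocks


def scheduler_initial(n):
    """Initial state for n processes: only the master (position 0) holds the token."""
    return (1,) + (0,) * n


def is_simple_cycle(states, edges):
    """True when every reachable state has exactly one motion out of it and
    following those motions from any state visits all of them before returning."""
    if any(sum(1 for e in edges if e[0] == s) != 1 for s in states):
        return False
    start = next(iter(states))
    cur, visited = start, 0
    while True:
        (nxt,) = [t for (s, _, t) in edges if s == cur]
        visited += 1
        cur = nxt
        if cur == start:
            return visited == len(states)


def begin_order(n):
    """Positions that receive the token (and so begin their controlled
    section) during one circuit of the ring, master excluded."""
    order, cur = [], scheduler_initial(n)
    for _ in range(n + 1):
        [(i, nxt)] = motions(cur)          # exactly one motion per state on the ring
        receiver = (i + 1) % (n + 1)
        if receiver != 0:
            order.append(receiver)
        cur = nxt
    return order


if __name__ == '__main__':
    states, edges, deadlocks = explore(scheduler_initial(3))
    print(len(states), "states, deadlocks:", deadlocks)         # 4 states, deadlocks: set()
    print("simple cycle:", is_simple_cycle(states, edges))      # True
    print("begin order:", begin_order(3))                       # [1, 2, 3]
    # Without a token (no controlling begin) the ring is stuck from the start.
    print("no-token deadlocks:", explore((0, 0, 0, 0))[2])      # {(0, 0, 0, 0)}
```

The no-token case is included because it is the one way this ring can deadlock: the master only hands the token out after a begin on its control boundary, so the cycle argument in the text applies to the initial state with exactly one local 1.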



5.2 Communication Protocols 
5.2.1 Notation 

For this section, we shall introduce an abbreviated notation for drawing au- 
tomata which allows for easier depiction of automata where many states are 
similar. 

As described here, the notation merely gives a compact representation of certain automata of interest. However, the authors intend to explore this notation more fully, with a view to allowing specification of automata using abstract data types via the interpretations of [?] and [?].

Let us consider an automaton X → Y. Our pictures will be graphs, with the following additional data:

1. associated to each vertex is a given set V. We typically abuse notation by denoting and referring to the vertex as V, provided no confusion arises.

2. associated to each edge V → W is a subset of X × V × W × Y. We shall denote the subset by a label (x(i) | v(i) → w(i) | y(i)) where i ranges over some (typically implicit) indexing set.
Figure 13: The design of a three process scheduler

Figure 14: An automaton Q simulating N · P



An automaton is associated with such a graph as follows: a vertex denoted V indicates a set of states indexed by V; an edge labelled (x(i) | v(i) → w(i) | y(i)) indicates a family of motions v(i) → w(i) labelled x(i) on the boundary X and y(i) on the boundary Y.

For example, given a set M of messages, let us write M~ for the boundary obtained by adjoining a trivial action to M. Figure 15 shows an automaton with boundaries X = M~ and Y = M~. The automaton has M + 1 states, and nontrivial motions of two kinds:

1. from the lone state of 1 to each state of M, this motion being labelled by the target state on the left boundary, and − on the right boundary,

2. from each state of M to the lone state of 1, this motion being labelled by − on the left boundary and the source state on the right boundary.

Such an automaton is a simplistic delayed message passer: it synchronizes with its left boundary to obtain m ∈ M (storing it internally by moving to an appropriate state), and then synchronizes with its right boundary to pass m on (forgetting m in the process). Considering the definition of binding of automata, we note that this automaton is incapable of losing messages: bound systems synchronize on the boundary actions which represent passing/receiving a message to/from the automaton.





Figure 15: A message passer automaton (vertices 1 and M; an edge from 1 to M labelled (m | * → m | −) and an edge from M to 1 labelled (− | m → * | m))



5.2.2 Channels 

By a channel C of type M, for a given set of messages M, we mean an automaton C: M~ → M~. We have in mind that an action m being performed on the left boundary is sending the message m down the channel, and some time later the right boundary will perform the action m as the message emerges. However, we do not require these properties of a channel, as we wish to model channels which may lose, modify or reorder messages.

Given the above discussion of the message passer, we note that a synchro- 
nization with a channel is considered to be a tightly coupled interaction whereby 
the channel accepts a message from its boundary. Synchronization occurs when 
a message is transferred across the boundary. That is, our I/O is fundamentally 
blocking I/O. 

Non-blocking I/O is modelled by having an automaton which can receive messages in any (or almost any) state. We note that this is an accurate model of non-blocking I/O. Such I/O is not distinguished in that it does not synchronize, but rather in that it synchronizes locally, that is, with lower layer processes in the local communication library rather than with a distant system.

To reconcile the tightly coupled nature of the synchronization in the binding 
operation with our desire to model channels which lose messages, we construct 
channels which literally lose messages - it is a property of the channel that a 
message which enters it may not emerge. By explicitly modelling that part of 
the system that loses messages, we can provide precise analyses of whether or 
not certain protocols lose messages. 

Such a channel is shown in figure 16. This is a channel of type M, which we shall refer to as a capacity 1 channel. If the channel is empty (in the state 1), an input transition of m results in the message m being stored (in one of the states M). This can later be read by an output transition, and the channel returns to the empty state. Any input messages supplied to the channel while it is full are simply lost.

Precisely speaking, we may consider any sequence σ of actions on the left boundary of the automaton. For any behaviour of the automaton with reduced appearance on the left boundary being the given sequence σ, the reduced appearance on the right boundary is a subsequence of σ. Further, there exists a behaviour for which the reduced appearance on the right boundary is precisely the sequence σ.

Figure 16: A channel of capacity 1
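As an added example (not from the paper), the capacity 1 channel above can be written out as an automaton with boundary and the property just stated checked by bounded exhaustive exploration of its behaviours. The state name 'empty' stands for the state 1 of the text; the label names, the behaviour enumeration and the arbitrarily_lossy option (the extra self loop that section 5.2.4 later adds to obtain a channel losing messages arbitrarily) are this example's own.

```python
"""Added example: the capacity 1 channel of section 5.2.2 as an automaton with
boundary, and bounded checks of its reduced-appearance property.  Motions are
(source, left action, target, right action); 'empty' is the state 1 of the
text and the messages themselves are the states M."""

TRIVIAL = '-'


def capacity1_channel(M, arbitrarily_lossy=False):
    """Motions of the channel of type M.  When empty, an input m stores it;
    when holding m, an output delivers it and any further input is lost with
    the state unchanged.  With arbitrarily_lossy the channel may also drop an
    input while empty (assumed form of the self loop of section 5.2.4)."""
    ms = set()
    for m in M:
        ms.add(('empty', m, m, TRIVIAL))          # (m | empty -> m | -): accept
        ms.add((m, TRIVIAL, 'empty', m))          # (- | m -> empty | m): deliver
        for m2 in M:
            ms.add((m, m2, m, TRIVIAL))           # full: the input m2 is lost
        if arbitrarily_lossy:
            ms.add(('empty', m, 'empty', TRIVIAL))
    return ms


def behaviours(motions, start, max_len):
    """All paths of at most max_len motions from `start`, summarised as
    (left appearance, right appearance, final state), where the appearances
    are reduced, i.e. trivial actions are dropped."""
    found = set()

    def walk(state, steps, left, right):
        found.add((left, right, state))
        if steps == max_len:
            return
        for (s, l, t, r) in motions:
            if s == state:
                walk(t, steps + 1,
                     left + ((l,) if l != TRIVIAL else ()),
                     right + ((r,) if r != TRIVIAL else ()))

    walk(start, 0, (), ())
    return found


def is_subsequence(short, long):
    """True when `short` can be obtained from `long` by deleting elements."""
    it = iter(long)
    return all(any(x == y for y in it) for x in short)


def subsequence_property(motions, max_len):
    """Every behaviour of up to max_len motions delivers a subsequence of its input."""
    return all(is_subsequence(r, l)
               for (l, r, _) in behaviours(motions, 'empty', max_len))


def can_deliver_all(motions, sigma):
    """Some behaviour has reduced appearance sigma on both boundaries; 2|sigma|
    motions suffice, since accept/deliver alternate."""
    sigma = tuple(sigma)
    return any(l == sigma and r == sigma
               for (l, r, _) in behaviours(motions, 'empty', 2 * len(sigma)))


def can_silently_drop(motions, m):
    """Can the channel accept m, deliver nothing and be empty again?  This is
    what separates the arbitrarily lossy channel from the capacity 1 one,
    which only loses an input while it is full."""
    return any(l == (m,) and r == () and s == 'empty'
               for (l, r, s) in behaviours(motions, 'empty', 2))


if __name__ == '__main__':
    M = ('a', 'b')                                  # constructed message set
    C1 = capacity1_channel(M)
    print("subsequence property:", subsequence_property(C1, 5))         # True
    print("can deliver a,b,a:", can_deliver_all(C1, ('a', 'b', 'a')))   # True
    print("drops while empty:", can_silently_drop(C1, 'a'))            # False
    LOSSY = capacity1_channel(M, arbitrarily_lossy=True)
    print("lossy drops while empty:", can_silently_drop(LOSSY, 'a'))   # True
```

Both channels satisfy the subsequence property and can deliver any σ in full; what the exhaustive check separates is the condition under which a message can vanish, which is exactly the difference that matters for the protocol analysis later in this section.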



5.2.3 Protocols 

By a protocol P of type M implemented on a channel of type N, we mean a pair (S, R) of automata, called the sender S: M~ → N~ and the receiver R: N~ → M~. Given a channel C of type N, we can construct the channel S · C · R.

This latter channel is what is usually termed the virtual channel provided by the protocol. Given the definitions of this paper, it is in fact a channel, no less real for the fact that it is built from simpler automata. The authors suggest the term "designed channel" to distinguish the latter channel from the former. A composite of this kind is shown in figure 17: the term virtual channel arises by thinking of the dotted line in the upper diagram as a direct connection; the authors' point of view is that the dotted box in the lower diagram shows a designed channel constructed from the protocol and underlying channel.

One goal of protocol design is to construct the automata S and R in such 
a way that this virtual channel has better properties than the underlying chan- 
nel C. Typically, we wish to show that given certain properties of the channel C, 
the virtual channel S ■ C ■ R has certain other properties. 

More generally, we may state the problem of protocols as follows: given a family of channels C_i, a desired channel type M, and requirements on the behaviours of the desired virtual channel, we need to construct automata S: M~ → N~ and R: N~ → M~ such that the channel S · C · R has the desired properties for some C: N~ → N~ selected from our family C_i. Note that the family C_i models "the sorts of channels available to us at this level of abstraction", and would typically be described as the closure under certain operations of certain basic channels, for example any channel which is a product of capacity 1 channels of any type.



5.2.4 Message Acknowledgement 

Given that the capacity 1 channel can lose messages, we might ask to establish a virtual channel solving this problem. One solution is to acknowledge sent messages. We shall use a channel from the receiver to the sender of type A = {ack} to carry the acknowledgements. That is, we shall build a virtual channel of type M from a channel of type N = M × A + M + A. Note that the type N of this channel should be thought of as the product of the types M and A in the sense that N~ = M~ × A~.

Figure 17: Virtual vs. designed channel

The sender and receiver automata S and R are shown in figures 18 and 19 respectively.
Figure 18: Sender S for Message Acknowledgement Protocol



One can easily evaluate the binding S ■ R to determine the behaviour of the 
message acknowledgement protocol over a perfect channel. 

However, we wish to analyze the protocol over a pair of capacity 1 channels running in opposite directions: a channel of type M from S to R and a channel of type A from R to S. The design of the system we wish to analyze is shown in figure 20.

Given an automaton S: X → Y, the automaton S^op: Y → X is constructed by interchanging the boundaries; we may call S^op the opposite of S. Thus the channel of interest in this context is the product C_M × C_A^op of a pair of capacity 1 channels of type M and A respectively (running in opposite directions). Note that the design diagram of figure 20 need not mention the opposite explicitly, the required connections being expressed by appropriate wires.

Figure 19: Receiver R for Message Acknowledgement Protocol

Figure 20: The design of the message acknowledgement protocol

Our goal now is to explain why the channel so constructed meets the design goals, that is, has only behaviours which have identical reduced appearances on each boundary. We do this by evaluating the design of figure 20; the reachable part is shown in figure 21.



It is clear that this channel is simulated by the message passer of figure 15: map the states in the top row to the unique state of 1 in figure 15, and map the states in the bottom row to the corresponding states of M in figure 15. Proposition [?] of section 4.2 now provides the desired result.

What happens if the channel of type M being used is not capacity 1, but may in fact lose messages arbitrarily? Such a channel would be modelled by an automaton similar to that of figure 16 but with an additional transition labelled (m | * → * | −) from the state 1 to itself. One can readily evaluate the design of figure 20 using this channel in place of C_M, and with a correspondingly modified channel in place of C_A. The result is the automaton of figure 22. In this case the system deadlocks if a message or an acknowledgement is lost.

Figure 21: Message Acknowledgement Protocol over capacity 1 channels

Figure 22: Message Acknowledgement Protocol over lossy channels

To repair this defect one typically uses timeouts and retransmission, but 
the analysis of such protocols, while of direct interest to the authors, is beyond 
the goals of the current paper. It is observed however, that timeouts could be 
modelled in the theory of automata with boundary by using timeout motions 
in the sender and receiver automata. 



6 Conclusions and Future Directions 

We have presented the basic theory of automata with boundary, together with examples designed to elucidate the presentation and show the scope of the theory described here. It is important to reiterate that the theory provides an algebra for constructing systems from primitive elements. One of the crucial aspects of this theory is the attempt to capture the design of a system as a precise theoretical element, distinct from the system itself and its implementation.

The underlying mathematical formalism of the approach has been explored in [?], [?], [?] and [?], and the interested reader is referred there. There is still work to be done in clarifying some details of the mathematics appropriate to the model, for example [?] and other papers in preparation by the authors. We note also that a precise description of the application of the bicategory Span(Graph) to the domain of asynchronous circuit design is given in [14] and [23].

We have proposed an algorithm for model checking systems for deadlock which fits comfortably with the theory, and which illustrates the principle that incorporation of designs as an element of the theory has benefits in other areas. As noted at the conclusion of section 3.3.1, this algorithm is simplistic and does not always perform well; more work in understanding the applications, limitations and possible evolution of algorithms based on these ideas is clearly warranted.

The theory supports abstraction of automata via the notions of comparison and simulation. The algebra used to construct systems extends to an algebra including the abstraction mechanisms, facilitating the construction of abstractions of larger systems. While the authors are still investigating the use of this technique, some indication of the benefits this approach yields is seen in section 4.3: abstractions may be used in conjunction with model checking to check larger systems; and the compositionality of the abstractions allows theoretical checking of families of systems.

In addition, the authors note that the combinatorial nature of the theory presented here makes it ideal for machine manipulation. As mentioned in section 4.3, the authors are presently prototyping tools designed to facilitate calculation in the algebra presented in this paper. It is hoped that such tools will allow calculation with larger models, such as several layers of a multilayer network protocol, both to demonstrate the applicability of the theory and to further refine the ideas presented in the current work.